Cisco AMP for Endpoints Events Input
Prerequisites
- docker
- docker-compose
Usage
docker-compose up --buildaccess Splunk at http://localhost:8000
Configure splunkd to use your HTTP Proxy Server
In $SPLUNK_HOME/etc/system/local/server.conf (or any other applicable location, if you are using a deployment server),
make the following changes to the [proxyConfig] stanza:
[proxyConfig]
http_proxy = <string that identifies the server proxy. When set, splunkd sends all HTTP requests through
this proxy server. The default value is unset.>
https_proxy = <string that identifies the server proxy. When set, splunkd sends all HTTPS requests
through the proxy server defined here. If not set, splunkd uses the proxy defined in http_proxy. The
default value is unset.>
no_proxy = <string that identifies the no proxy rules. When set, splunkd uses the [no_proxy] rules to
decide whether the proxy server needs to be bypassed for matching hosts and IP Addresses. Requests going
to localhost/loopback address are not proxied. Default is "localhost, 127.0.0.1, ::1">You can also configure proxies by setting the environment variables HTTP_PROXY and HTTPS_PROXY.
Configure Splunk Web to use the key and certificate files
In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server),
make the following changes to the [settings] stanza:
[settings]
enableSplunkWebSSL = true
privKeyPath = </home/etc/auth/mycerts/mySplunkWebPrivateKey.key >
Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME
serverCert = </home/etc/auth/mycerts/mySplunkWebCertificate.pem >
Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOMEYou can also configure certificate by setting the environment variable SSL_CERT_FILE.
Nuances
Docker complains of an upgrade during startup. This is because the initial Splunk setup initializes some databases. Remove the container and start again.
docker-compose down
docker-compose up- The changes in input app require the Splunk to be restarted. When you have made some changes, restart Splunk:
docker-compose exec splunk sh -c '$SPLUNK_HOME/bin/splunk restart' - Do not push your local folder to git repository, as it stores values that belong to your unique Splunk instance.
- If you need to add a python library dependency - enter its name within the bin/requirements-splunk.txt and run
pip install -r bin/requirements-splunk.txt --target=$SPLUNK_HOME/lib/python2.7/site-packages. - By default, Splunk will display 2 info messages about version updates when you reach its dashboard for the first time. If you see other messages (warnings or errors) - you most certainly need to fix your input app to make them disappear.
- To perform a command within splunk python interpreter, run it with splunk cmd python, e.g.:
splunk cmd python amp4e_events_input.py --scheme
Testing
- Enter your admin credentials in test/support/config.py
- To execute all tests,
docker-compose exec splunk sh -c '$SPLUNK_HOME/bin/splunk cmd python -m unittest discover'. - If you'd like to run a single test, refer to it as to a module:
docker-compose exec splunk sh -c '$SPLUNK_HOME/bin/splunk cmd python -m unittest test.amp4e_events_input.test_stream_dict_manager' - When testing upgrading the app, you can uncomment the
splunk-testcontainer in docker-compose.yml. This will provide you with a fresh Splunk install to test installation/upgrading on.
Diag
If a customer is having issues with the app, you should consider providing an output of diag script to authorized Cisco representative:
splunk login
splunk diag --collect app:amp4e_events_inputThe script will result in a *.tar.gz file, which will contain data that will greatly help us figure out your issue. These data will include sensitive information about your Splunk instance, so please make sure you provide it ONLY to authorized Cisco representative
Release
General instructions
Whenever a new release is made, please keep in mind that default/app.conf should be updated accordingly - build attribute of the [install] stanza and version attribute of the [launcher] stanza must be changed if needed. The build specifies the assets version in order to know when to expire the browser cache. It should be an integer, which you increment after you change something in app/static before release, as per Splunk's recommendations. The version is a version string, constructed according to semver recommendations.
Gotchas
When installing or upgrading the app, Splunk simply copies all the files from the package provided into $SPLUNK_HOME/etc/apps/<your_package_name>. This means that if a file or folder is deleted in a newer version of the app, when a user upgrades their app, that file will remain. It needs to be called out specifically in the upgrade process documentation that the user will need to delete it from their Splunk server.
If a new folder is added at the top level of the app, it's name must be added to DIRS_TO_ARCHIVE in release/util/splunkbase_releaser.py to be included in the release package.
Splunkbase release
Creates a package for release on Splunkbase.
docker-compose exec splunk python3 /usr/bin/fab splunkbase-releaseKnown Issues
Errors
ValueError: Expected instance of Parameters, not <URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>-
This error occurs when two instances of the Pika library are included in your installation. If you encounter this error, check to see if the folder
$SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pikaexists on your Splunk server. If it does, remove it with:$ rm -rf $SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pika